Threat Research

Round 3: More Neurevt DDoS Attacks

By He Xu | April 30, 2014

Neurevt DDoS attacks are endless. Our Fortinet botnet monitoring system found more DDoS attacks raised by Neurevt.

UDP Attack

About two weeks ago (April 18), Neurevt began to perform new DDoS attacks on a web site that is located in the British Virgin Islands. The domain has the suffix .ru, which means it belongs to Russia. The attack method is only UDP, and the target port is 80, which is the default for web browsing. This web site is an online forum on finance and investing.

HTTP GET Attacks

Two days later (April 20), the Neurevt command-and control (C&C) server sent two new DDoS attack commands to interrupt two Turkish gaming websites. Both of these attacks use the HTTP GET method that was discussed here.

Target 1

The first domain has been registered in Istanbul, Turkey. According to our investigation, this web site is protected by a third party Anti-DDoS service, the IP associated with this domain is located in San Francisco, USA.

Neurevt Round3 1

Figure 1. TCP initial connection attempt.

Because the web site was unreachable (Figure 1), the route was redirected to the Anti-DDoS service's server.

Neurevt Round3 2

Figure 2. Anti-DDoS service for first web site.

Visitors of the affected web site could still view the static homepage, but all other functions in the page were unavailable.

As we have seen, the Neurevt HTTP GET attack pattern is simple; it just tries to fetch the homepage of the target domain, and the Accept format is for audio/mpeg media types.

Target 2

The second domain is located in Bursa, Turkey. Like the previous web site, this one is also protected by the Anti-DDoS service.

Neurevt Round3 3

Figure 3. Anti-DDoS service for second web site.


Neurevt has been quite effective in its DDoS features, as evidenced by the targeted domains being almost down whenever we capture the attacks. However, these attacks have also shown us that some web sites are not like lambs waiting to be slaughtered, but are using advanced technology in order to protect themselves.

We will continue to keep an eye on the future activities of Neurevt through our botnet monitoring system and will keep you posted on further developments.

Join the Discussion